[PATCH 0 of 6] don't blindly trust .hg/hgrc files
Alexis S. L. Carvalho
alexis at cecm.usp.br
Wed Oct 18 04:52:14 UTC 2006
Hi
(patches also available at
http://www.cecm.usp.br/~alexis/cgi-bin/hgwebdir.cgi/asak/
)
Here's my current attempt at "don't load an arbitrary extension from a
.hg/hgrc file that you don't trust".
This patchset saves the settings from untrusted config files separately,
and only uses them when explicitly asked for (right now, only hgweb and
hgwebdir do it).
The first patch is essentially the same one that was previously applied:
it implements a notion of trusted/untrusted users and refuses to read
files from untrusted users.
The second one reads these untrusted files and saves the settings in a
separate configparser.
The third adds --untrusted to showconfig to show the untrusted settings.
The fourth allows one to ask patch.diffopts for untrusted settings
The fifth changes hgweb to ask for untrusted settings. The only
exceptions are web.static and web.templates - using these settings a
repo owner is be able to read any file readable by the user running
the CGI script.
The sixth changes hgwebdir to ask for untrusted settings.
Comments are more than welcome.
Alexis
More information about the Mercurial-devel
mailing list